James G. Sack (jim) wrote:
While looking around for unfinished business, I looked at the errorlog from the ZMI. It works fine, but seems to be indicating an ongoing attack by some kind of bot:

The log shows a new entry every few seconds!
 -aside from recent entry: googlebot, there seems to be a slew from
  220.181.19.83 (or 220.181.19.XXX)
 -these requests seem quite suspicious:
  such as access http://www.kernel-panic.org/wiki/XFree86/wikipage
    the /wikipage suffix seems out-of-place
  or http://www.kernel-panic.org/wiki/LanBarnes/diffform
    where /diffform is unexpected
**********************************************************************
==> it seems that someone (besides google) is scanning all our pages and tacking on suffixes of some sort -- some known exploit?
**********************************************************************

I intend to look around some more for unfinished business, but I thought I should announce the ongoing attack.

Josh?, anyone? Could/should we try to do anything about this?
How hard is it to interpose some (smart) request throttling?


more info:

the attacking site is Chinese but has no DNS entry
seems to alternate between 220.181.19.79 and 220.181.19.83
a series of
  KeyError: 'body'
errors is followed by a
BadRequest: ..evidently the attack script passes invalid arguments, or something like that

nmap profile, in case this means anything to anybody is
- - - - - - - - - - - - -  - - - - -
PORT     STATE    SERVICE
22/tcp   filtered ssh
135/tcp  filtered msrpc
136/tcp  filtered profile
137/tcp  filtered netbios-ns
138/tcp  filtered netbios-dgm
139/tcp  filtered netbios-ssn
161/tcp  filtered snmp
162/tcp  filtered snmptrap
199/tcp  filtered smux
391/tcp  filtered synotics-relay
445/tcp  filtered microsoft-ds
705/tcp  filtered unknown
828/tcp  filtered unknown
873/tcp  open     rsync
1663/tcp filtered netview-aix-3
1723/tcp filtered pptp
1993/tcp filtered snmp-tcp-port
3001/tcp open     nessusd
3389/tcp filtered ms-term-serv
5800/tcp filtered vnc-http
5900/tcp filtered vnc
- - - - - - - - - - - - -  - - - - -

There is no evidence of damage. No "recent changes" anywhere that I can see, and no evidence that pages referenced have any additions or other mods (from an examination of a couple of pages whose names I have noted in the logs).

However, the log messages do persist -- one every 5-to-15 seconds (sometimes longer intervals ..50s)

Regards,
..jim

--
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-steer
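An added example, not part of jim's message or of the kernel-panic.org site's own code, that does the two things the post asks about: it parses constructed error-log lines shaped like the ones described (timestamp, client IP, URL, error), flags /24 networks that hit several wiki pages with an appended suffix at a short mean interval, and applies a per-source sliding-window limit of the kind a request throttle would use. The log line format, the sample addresses, and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the post: epoch seconds, client IP, URL, error.
SAMPLE_LOG = """\
1094000000 220.181.19.83 http://www.kernel-panic.org/wiki/XFree86/wikipage KeyError: 'body'
1094000006 220.181.19.83 http://www.kernel-panic.org/wiki/LanBarnes/diffform KeyError: 'body'
1094000013 220.181.19.79 http://www.kernel-panic.org/wiki/FrontPage/diffform KeyError: 'body'
1094000020 220.181.19.79 http://www.kernel-panic.org/wiki/XFree86/diffform BadRequest
1094000500 66.249.66.1 http://www.kernel-panic.org/wiki/FrontPage KeyError: 'body'
"""
# Assumed format. Only URLs of the form /wiki/<Page>/<suffix> match; plain page views are ignored.
LINE_RE = re.compile(r"^(\d+) (\d+\.\d+\.\d+)\.\d+ \S+/wiki/([^/\s]+)/([^/\s]+) ")

def parse(log_text):
    """Yield (timestamp, /24 prefix, page, suffix) for each suffixed wiki hit."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, net, page, suffix = m.groups()
            yield int(ts), net, page, suffix

def suspicious_sources(log_text, min_hits=3, max_mean_gap=30.0):
    """Return {/24: (hits, pages, suffixes)} for networks that hit at least
    min_hits suffixed wiki URLs, averaging <= max_mean_gap seconds apart."""
    by_net = defaultdict(list)
    for ts, net, page, suffix in parse(log_text):
        by_net[net].append((ts, page, suffix))
    flagged = {}
    for net, hits in by_net.items():
        if len(hits) < min_hits:
            continue
        times = sorted(t for t, _, _ in hits)
        mean_gap = (times[-1] - times[0]) / (len(times) - 1) if len(times) > 1 else 0.0
        if mean_gap <= max_mean_gap:
            flagged[net] = (len(hits), {p for _, p, _ in hits}, {s for _, _, s in hits})
    return flagged

class SlidingWindowLimiter:
    """Allow at most `limit` requests per key within any `window` seconds."""
    def __init__(self, limit, window):
        self.limit, self.window, self.seen = limit, window, defaultdict(list)
    def allow(self, key, now):
        recent = [t for t in self.seen[key] if now - t < self.window]  # drop expired stamps
        if len(recent) >= self.limit:
            self.seen[key] = recent
            return False
        self.seen[key] = recent + [now]
        return True
```

With the sample above, only the 220.181.19.0/24 network is flagged (four suffixed hits about 7 seconds apart), while the single googlebot-style view of /wiki/FrontPage never enters the tally.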
